Software behavior monitoring and verification system

ABSTRACT

The present invention relates to a software behavior monitoring and verification system, which is composed of three parts including a software behavior certificate, a three-party software behavior monitor, and a real-time software behavior verification system. The software behavior certificate is formed according to three-party communications data packets in a correct transaction process among a user, an E-Commerce website, and a third-party payment platform; the three-party software behavior monitor is a data packet monitor installed on the E-Commerce website, the third-party payment platform, and the user client; after receiving data packets of interaction information in the transaction that are respectively submitted by the three-party monitor, the real-time software behavior verification system extracts and integrates key sequences and information in the data packets, and compares a user behavior interaction sequence with the software behavior model in real time according to a global unique order number, and sends an alarm and terminates the transaction in the case of illegal behaviors such as disorder and identity spoofing. By using key parameters such as URL exchanged among the three parties, a legal normal interaction process in the transaction of the three parties is defined, and a software behavior certificate is provided.

BACKGROUND OF THE PRESENT INVENTION

1. Field of Invention

The present invention relates to the field of E-Commerce online transaction security and monitoring technologies.

2. Description of Related Arts

With the development of Internet, E-Commerce has gradually become a new mode for commerce activities of people, and become an important business mode in international trade. Based on computer technology, communications technology, and network technology, E-Commerce uses methods such as electronic data exchange, emails, and electronic payment to implement electronic, digital, and network business of the whole commerce activities. With the emergence of electronic transaction platforms, the whole procedures of sales, transaction, and confirmation are replaced by online transaction. Electronic Brokerage System (EBS) of the early bank transaction system of the first generation has developed to individual transaction platforms researched and developed by banks, and then to multi-subject transaction platforms provided by third parties and application program interfaces (APIs) demanded by the market. The development process of electronic transaction is rather rapid, but it also faces many opportunities and regulations.

In recent years, the E-Commerce modes mainly include B2C, B2B, and C2C. However, these modes generally adopts third-party payment mode. Users, E-Commerce websites, and third-party payment platforms are three main subjects in the current electronic transaction process. The aforementioned three parties trust each other on the basis of technologies such as signature, verification, and encryption, and invoke interfaces from each other for communications, thereby cooperating to complete the whole online transaction process. However, since the current software development technology is imperfect, user client software, E-Commerce websites, and even third-party payment platforms may have communications interface vulnerabilities and logic errors.

The present invention faces the situation that malicious users who are legally registered often use these vulnerabilities to be engaged in illegal behaviors, and make illegal profits for themselves. Moreover, because the vulnerabilities are diversified and hard to detect and protect, user behavior is changeful, and network platforms are in a distributed structure and have loose coupling, conventional security methods cannot ensure the security of current electronic network transactions.

SUMMARY OF THE PRESENT INVENTION

An object of the present invention is to overcome the disadvantages of the prior art. The present invention discloses a software behavior monitoring and verification system, and provides a security ensuring mode in which a user, an E-Commerce platform, and a third-party payment platform cooperate with one another. The transaction process is monitored throughout the transaction, and an alarm can be sent in real time.

The technical solutions provided by the present invention are:

a software behavior monitoring and verification system, where the system is composed of three parts comprising a software behavior certificate, a three-party software behavior monitor, and a real-time software behavior verification system.

The software behavior certificate is formed by a professional according to three-party communications data packets in a correct transaction process among a user, an E-Commerce website, and a third-party payment platform to define normal legal interaction behavior of the three parties, and the software behavior certificate is a software behavior model formed corresponding to interaction modes between the E-Commerce website, the third-party payment platform, and a user client.

The three-party software behavior monitor is a data packet monitor installed on the E-Commerce website, the third-party payment platform and the user client, and is used to monitor, in real time, data packets transmitted between the three parties in a complete transaction, and extract and integrate necessary parameter information (comprising a URL address and a parameter and the like) in the data packets, so as to send key information to the real-time software behavior verification system. The three-party software behavior monitor is technically based on jpcap, and mainly captures HTTP data packets, and extracts URL addresses and parameter information in the data packets, a serial number of the E-Commerce and a serial number of the third-party payment platform in the three parties of the transaction, and then establishes a socket connection with the real-time software behavior verification system, and sends the key information to the real-time software behavior verification system by using a TCP data packet.

After receiving data packets of interaction information in the transaction that are respectively submitted by the three-party software behavior monitor, the real-time software behavior verification system extracts and integrates key sequences and information in the data packets, and compares a user behavior interaction sequence with the software behavior model in real time according to a global unique order number, and sends an alarm and terminates the transaction in the case of illegal behaviors comprising disorder and identity spoofing.

Software behavior defined in the software behavior certificate has behavior logic, which is reflected in that:

1) each transition_node in the software behavior certificate is a behavior node; data packets captured by any of the three parties are grouped into two categories: received message and sent message, which respectively correspond to input and output in the transition_node; the received message and the sent message need to meet such a logical sequence that the received message is prior to the sent message; and the captured behavior sequence is compared with the corresponding transition_node, and once the logical sequence is not met, an alarm is sent;

2) in the meantime, the real-time software behavior verification system further compares a current subject of the received message or the sent message with a subject name recorded by an attribute attri in the certificate behavior node (transition_node); if they are inconsistent, it indicates that an unauthorized user performs an identity spoofing attack, and an alarm is sent immediately;

3) a place_node defines a logical sequence between behavior nodes, and the behavior nodes (transition_node) are arranged according to a particular transaction sequence; and once a skip or disorder occurs, it indicates that the legal normal transaction process is broken and an irregular operation occurs, and an alarm is sent immediately.

The innovative points of the present invention and the beneficial effects thereof are as follows: by using key parameters such as URL exchanged among the three parties, a legal normal interaction process in the transaction of the three parties is defined, and a software behavior certificate is provided. The software behavior certificate is formed by a professional according to three-party communications data packets in a correct transaction process among a user, an E-Commerce website, and a third-party payment platform to define normal legal interaction behavior of the three parties. The present invention provides a security ensuring mode in which the user, the E-Commerce platform, and the third-party payment platform cooperate with one another. The transaction process is monitored throughout the transaction, and an alarm can be sent in real time.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is an architecture diagram of software behavior monitoring and verification.

FIG. 2 is a flowchart of a three-party software behavior monitor.

FIG. 3 is a flowchart of a real-time software behavior verification system.

FIG. 4 is a format (place_node) of a software behavior certificate.

FIG. 5 is a format (transition_node) of a software behavior certificate.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The architecture of the whole software behavior monitoring and verification system is shown in FIG. 1.

The whole software behavior monitoring and verification system stores behavior of real authorized users and uses the behavior to form a software behavior certificate, and performs real-time comparison and one-step verification on the three-party interaction behavior sequence and the software behavior certificate in the transaction process mainly according to a global unique order number; once any party has illegal behavior such as disorder of messages or identity spoofing, an alarm is sent or certain measures are taken.

The three-party software behavior monitor: a data packet monitor installed on an E-Commerce website, a third-party payment platform, and a user client, and used to monitor, in real time, data packets transmitted between the three parties in a complete transaction, and extract and integrate necessary parameter information in the data packets, so as to send key information to the real-time software behavior verification system. The monitor is technically based on jpcap, and mainly captures HTTP data packets, and extracts URL addresses and parameter information in the data packets, a serial number of the E-Commerce website, and a serial number of the third-party payment platform in the three parties of the transaction. Subsequently, the monitor establishes a socket connection with the real-time software behavior verification system, and sends the key information to the real-time software behavior verification system by using a TCP data packet. The three-party software behavior monitoring process is shown in FIG. 2;

the real-time software behavior verification system: after establishing a socket connection with the three-party software behavior monitor, the real-time software behavior verification system receives the TCP data packet sent by the three-party software behavior monitor, and extracts and integrates the key sequence and information in the data packets. Then, the real-time software behavior verification system authenticates a user behavior interaction sequence against the software behavior model in real time according to a global unique order number, and sends an alarm and terminates the transaction in the case of illegal behaviors such as disorder and identity spoofing. FIG. 3 is a flowchart of the real-time software behavior verification system:

the software behavior certificate is formed according to interaction modes between the three parties, that is, the E-Commerce website, the third-party payment platform, and the user client, comprising the interaction modes between any two of them; the software behavior certificate is manually created by a professional, and is stored in a server in the format of an XML file.

The format of the software behavior certificate is shown in FIG. 4 and FIG. 5:

input is a key parameter (URL and the like) received by any of the three parties (user, E-Commerce website, and third-party payment platform); and output is a key parameter sent by the current party; the interaction information represents a software behavior sequence.

The software behavior defined in the software behavior certificate has certain behavior logic, which represents the interaction sequence of the three parties, premise conditions, and the like. Each transition_node in the software behavior certificate is a behavior node; the data packets captured by any of the three parties are grouped into two categories: received message and sent message, which respectively correspond to input and output in the transition_node; the received message and the sent message need to meet such a logical sequence that the received message is prior to the sent message; and the captured behavior sequence is compared with the corresponding transition_node; and once the logical sequence is not met, an alarm is sent. Meanwhile, the real-time software behavior verification system further compares a current subject of the received message or the sent message with a subject name recorded by an attribute attri in the certificate behavior node (transition_node); and if they are inconsistent, it indicates that an unauthorized user performs an identity spoofing attack, and an alarm is sent immediately. A place_node defines a logical sequence between behavior nodes, and the behavior nodes (transition_node) are arranged according to a particular transaction sequence; and once a skip or disorder occurs, it indicates that the legal normal transaction process is broken and an irregular operation occurs, and an alarm sent immediately. 

What is claimed is:
 1. A software behavior monitoring and verification system, wherein the system is composed of three parts comprising a software behavior certificate, a three-party software behavior monitor, and a real-time software behavior verification system, wherein the software behavior certificate is formed by a professional according to three-party communications data packets in a correct transaction process among a user, an E-Commerce website, and a third-party payment platform to define normal legal interaction behavior of the three parties, and the software behavior certificate is a software behavior model formed corresponding to interaction modes between the E-Commerce website, the third-party payment platform, and a user client; the three-party software behavior monitor is a data packet monitor installed on the E-Commerce website, the third-party payment platform and the user client, and is used to monitor, in real time, data packets transmitted among the three parties in a complete transaction, and extract and integrate necessary parameter information (comprising a URL address and a parameter) in the data packets, so as to send key information to the real-time software behavior verification system; the three-party software behavior monitor is based on jpcap, and mainly captures HTTP data packets, and extracts URL addresses and parameter information in the data packets, a serial number of the E-Commerce website and a serial number of the third-party payment platform in the three parties of the transaction, and then establishes a socket connection with the real-time software behavior verification system, and sends the key information to the real-time software behavior verification system by using a TCP data packet; and after receiving data packets of interaction information in the transaction that are respectively submitted by the three-party software behavior monitor, the real-time software behavior verification system extracts and integrates key sequences and information in the data packets; compares a user behavior interaction sequence with the software behavior model in real time according to a global unique order number, and sends an alarm and terminates the transaction in the case of illegal behaviors comprising disorder and identity spoofing.
 2. The software behavior monitoring and verification system as in claim 1, wherein software behavior defined in the software behavior certificate has behavior logic, which is reflected in that: 1) each transition_node in the software behavior certificate is a behavior node; data packets captured by any of the three parties are grouped into two categories: received message and sent message, which respectively correspond to input and output in the transition_node; the received message and the sent message need to meet such a logical sequence that the received message is prior to the sent message; and the captured behavior sequence is compared with the corresponding transition_node, and once the logical sequence is not met, an alarm is sent; 2) the real-time software behavior verification system further compares a current subject of the received message or the sent message with a subject name recorded by an attribute attri in the certificate behavior node (transition_node); and if they are inconsistent, it indicates that an unauthorized user performs an identity spoofing attack, and an alarm is sent immediately; 3) a place_node defines a logical sequence between behavior nodes, the behavior nodes (transition_node) are arranged according to a particular transaction sequence, and once a skip or disorder occurs, it indicates that the legal normal transaction process is broken and an irregular operation occurs, and an alarm is sent immediately. 